Cybersecurity Challenges for Boards of Directors

Why directors need to take action!

As a director, your duty of care makes you responsible for cybersecurity, no matter the size of your business or the industry in which you work. Criminals in cyberspace attack all the risks businesses face: corporate account takeover, identity theft, stolen data or intellectual property.

Pragmatically, it is a matter of when, not if, you’ll face a problem. If you have already been hacked, you need to assume you will be hacked again.

Cybersecurity is the word which asks directors: “What are you doing to protect shareholders from unseen criminals?” Like other enterprise-level risks, a systematic approach is needed to deal with these complex issues. The Board can no longer delegate this responsibility to an officer and ignore it.

Future cyber risks for Boards to address

When you build a cybersecurity plan, you need to think about what comes next. There are three likely areas to focus on:

(1) Increased regulation to protect consumers and investors,

(2) Changes in M&A practices, and

(3) New risks created by the Internet of Things (IoT).

Now is the time to consider how these future trends increase your responsibilities to your investors.

New regulations for consumer protection

Governments issue numerous regulations designed to protect consumers and investors. In March 2017, for example, New York State raised the bar by approving a new cybersecurity law. (23 NYCRR 500)

While this law targets financial institutions, it has implications for other industries. If you do business with consumers in New York, you need to be aware of new restrictions and requirements on your commercial activity. Expect other states to follow in New York’s footsteps.

The GDPR creates a comprehensive framework for consumer protection. Regulators enforce these rules by fines of up to 4% of global revenue (with some limits).

New regulations for investor protection

The SEC promulgated its own host of regulations that apply to market participants, exchanges, brokers and RIAs.

As early as 2011, the SEC provided guidance on disclosures and what must be in MD&A reports. If you are a public company director, you are already responsible for these mandates. If you are a director at a private company, you need to assess which of these mandates to consider as best practices to adopt for the protection of your investors.

Directors need more M&A diligence

In the world of M&A: valuations, cybersecurity impacts certainty of close and the post-close transition process. Here is a short list of questions to consider:

How much more will it cost to assess the seller’s cyber readiness?

If you are unsure of the seller’s preparedness, do you reduce the price or walk away?

If you can’t walk away, how do you hedge the risk?

What additional post-close costs are needed for cyber security?

How should you rework the representations and warranties?

Should you increase the holdback or push out the term of the holdback?

Cybersecurity needs to become a component of a strong diligence process. It will require judgment on when to bring in technical resources, as well as how to measure new types of risk.

The IoT is the new battlefield

The Internet of Things (IoT) is here. It encompasses everything from household items (TVs, coffee machines) to industrial, commercial and public infrastructure. Many such devices are “dumb” (in a data sense); they provide data but have no security features.

The IoT includes numerous critical and intelligent devices as well. It’s a lot to take in, and the fallout is just as difficult to predict. As with Y2K, we just don’t know what may happen.

These threats require both offensive and defensive analysis. Criminals could attack your revenue-producing assets to extort profits or damage your reputation. Alternatively, your “dumb” devices can be taken over as zombies to attack websites and other targets. Neither is good.

Consider the historical evidence. The Bowman Avenue Dam in New York was hacked in 2013. Stuxnet was deployed in 2010. State actors conducted these attacks, it’s true, but they give perspective to what a motivated, well-equipped crime syndicate could do. The 2016 Dyn DDoS attack took down a big part of the Internet.

The IoT is considered to be a potentially major new revenue stream for many companies, but the IoT is a new frontier. What risks might you be accepting without fully comprehending first? As the revenue from IoT expands, there will likely be incidents which demand new regulations to protect the public. How does this impact your business strategy and capital expenditures?

What do you, as a director, need to do about it?

What can directors do about cybersecurity?

Directors must protect their shareholders’ tangible and intangible assets, regardless of the form of the threat. Directors need to initiate protective actions and provide on-going oversight for cybersecurity. These efforts should start by committing to a methodical course of action. The path forward starts with:

Accept the situation

Get educated

Put the issues into context

Assess your vulnerabilities

Evaluate the risks

Estimate the costs

Decide to accept, avoid, mitigate or transfer risks

Get help when needed

Test your readiness

Make cyber security a regular board agenda item

Following this path forward is why shareholders elect directors — to protect their vital interests.

Directors do not need to be experts in cybersecurity, but they need to decide how to accept, avoid, mitigate or transfer the risks. Setting a plan, directing management and holding staff accountable are the board’s responsibility.

Bruce Werner is the Managing Director of Kona Advisors LLC and served as an outside director on private company boards for the last three decades. Kona Advisors LLC provides advisory services to the owners, investors and CEOs of private and family-owned businesses. With deep experience in governance, succession planning, finance, strategy and management issues, Kona…